From sean at cyberia.coldstream.ca Mon Nov 3 19:11:33 2008
From: sean at cyberia.coldstream.ca (Sean Rooney [cyberia])
Date: Mon, 3 Nov 2008 13:11:33 -0500 (EST)
Subject: [Openvas-discuss] openVAS & OSX
Message-ID: <61310.64.229.24.135.1225735893.squirrel@cyberia.coldstream.ca>

Question:

has anyone worked on making openVAS work under the OSX 10.4 [tiger] or OSX 10.5 [Leopard] operating systems?

about 5 or 6 years ago we ported nessus 2.x to OSX panther and it works quite well.

I do not expect any major problems but felt that I needed to ask the question.

Thanks

-sr

--
:-)

From jan-oliver.wagner at intevation.de Wed Nov 5 10:12:04 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Wed, 5 Nov 2008 10:12:04 +0100
Subject: [Openvas-discuss] openVAS & OSX
In-Reply-To: <61310.64.229.24.135.1225735893.squirrel@cyberia.coldstream.ca>
References: <61310.64.229.24.135.1225735893.squirrel@cyberia.coldstream.ca>
Message-ID: <200811051012.05942.jan-oliver.wagner@intevation.de>

On Monday, 3 November 2008, Sean Rooney [cyberia] wrote:
> has anyone worked on making openVAS work under the OSX 10.4 [tiger] or OSX
> 10.5 [Leopard] operating systems?
>
> about 5 or 6 years ago we ported nessus 2.x to OSX panther and it works
> quite well.
>
> I do not expect any major problems but felt that I needed to ask the
> question.

I am not aware of any developer or user for Mac OS X.
But I would appreciate efforts to test, perhaps adapt, for Mac OS X.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jandradas at gmv.com Wed Nov 5 10:57:07 2008
From: jandradas at gmv.com (Jonas Andradas Arias)
Date: Wed, 5 Nov 2008 10:57:07 +0100
Subject: [Openvas-discuss] openVAS & OSX
References: <61310.64.229.24.135.1225735893.squirrel@cyberia.coldstream.ca> <200811051012.05942.jan-oliver.wagner@intevation.de>
Message-ID: <37F4A378F4156446B5B25B616830B5A55BDCAD@GMVMAIL2.gmv.es>

Hello,

Although I have no MacOS X developer skills, I do have access to a Leopard and a Tiger MacOS X, and I would gladly help in testing.

Regards,
Jonás

From jan-oliver.wagner at intevation.de Wed Nov 5 11:13:46 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Wed, 5 Nov 2008 11:13:46 +0100
Subject: [Openvas-discuss] openVAS & OSX
In-Reply-To: <37F4A378F4156446B5B25B616830B5A55BDCAD@GMVMAIL2.gmv.es>
References: <61310.64.229.24.135.1225735893.squirrel@cyberia.coldstream.ca> <200811051012.05942.jan-oliver.wagner@intevation.de> <37F4A378F4156446B5B25B616830B5A55BDCAD@GMVMAIL2.gmv.es>
Message-ID: <200811051113.48477.jan-oliver.wagner@intevation.de>

On Wednesday, 5 November 2008, Jonas Andradas Arias wrote:
> Although I have no MacOS X developer skills, I do have access to a Leopard and a Tiger MacOS X, and I would gladly help in testing.

Just go ahead and report problems, if there are any.
We'll then see what we can do about it.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Thu Nov 6 12:12:26 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Thu, 6 Nov 2008 12:12:26 +0100
Subject: [Openvas-discuss] Anyone has experiences with ATK?
Message-ID: <200811061212.28350.jan-oliver.wagner@intevation.de>

Hi,

I was made aware of ATK: http://www.computec.ch/projekte/atk/

Anyone has experiences or opinions about this?
At least it seems they have some sort of relation to NASL scripts.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From traef at ebasedsecurity.com Tue Nov 4 21:04:13 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Tue, 4 Nov 2008 14:04:13 -0600
Subject: [Openvas-discuss] Command line client?
Message-ID:

Is there a command line client for openvas?

I'd like to be able to batch a series of scans.

Anyone with the answer?

Thank you in advance.

From tnguyen at slacker.com Wed Nov 5 02:06:58 2008
From: tnguyen at slacker.com (Toan Nguyen)
Date: Tue, 4 Nov 2008 17:06:58 -0800
Subject: [Openvas-discuss] OpenVAS latest 1.x packages - Problems and solutions to them
Message-ID: <40AB5A80E5E562409254E65CBACFE2BD02D28A6C@BBMAIL.corp.bbi.com>

Hi all,

This software is a great alternative to Nessus. Thank you very much for making OpenVAS free and easy to use. There are a couple things that weren't so smooth for me during installation that I would like to point out:

1. The INSTALL_README file in openvas-libraries-1.0.2 doesn't indicate which version of gnutls it needs. I had 1.0.20 installed along with the development files and I still couldn't compile the libraries. It was gnutls 2.x that solved the issue. Pointing this out would have been a great help.

2. If you compiled all the openvas components to the non default path (ie. ./configure -prefix=/whatever/path) there is no flag to specify where you install the dependences for the other subsequent components.
Example, if I installed libnasl in /opt/openvas-libnasl, there is no flag in the configure script of the openvas-libraries to point where I installed libnasl. You would have to hack the configure script and change the hard-coded paths. Modifying the configure script to look for non-default installation paths of its dependences would be a great addition.

3. The 'openvas-nvt-sync' is broken out of the box, at least it was for me. Apparently, it seems that the FEED variable was declared incorrectly.

UNSUCCESSFUL:

FEED=rsync://rsync.openvas.org:/nvt-feed

SUCCESSFUL:

FEED=rsync at rsync.openvas.org::nvt-feed

I have installed OpenVAS on a RHEL4 Dell 1950 server. If any of you have questions/comments about my installation or need help installing it, feel free to email me. I would have posted this on a forum but the OpenVAS team hasn't implemented one yet. I hope my comments/suggestions were helpful in some way. Thank you.

-Toan
tnguyen at slacker.com

From michael.wiegand at intevation.de Thu Nov 6 12:33:31 2008
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Thu, 6 Nov 2008 12:33:31 +0100
Subject: [Openvas-discuss] Command line client?
In-Reply-To:
References:
Message-ID: <200811061233.31536.michael.wiegand@intevation.de>

[Tuesday 04 November 2008 - 21:04:13] "Thomas Raef" :
> Is there a command line client for openvas?
>
>
>
> I'd like to be able to batch a series of scans.

You can use the GUI client as a command line client as well, the "--help" option lists the available options and should help you to get up and running.

If you don't need the GTK interface at all, you might want to configure openvas-client with the "--disable-gtk" parameter, that way you can run and compile openvas-client on systems without GTK as well.
I hope I was able to answer your question; let us know if you need help.

Regards,

Michael

--
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From timb at nth-dimension.org.uk Thu Nov 6 12:38:21 2008
From: timb at nth-dimension.org.uk (Tim Brown)
Date: Thu, 6 Nov 2008 11:38:21 +0000
Subject: [Openvas-discuss] Command line client?
In-Reply-To:
References:
Message-ID: <200811061138.21984.timb@nth-dimension.org.uk>

On Tuesday 04 November 2008 20:04:13 Thomas Raef wrote:
> Is there a command line client for openvas?
>
>
>
> I'd like to be able to batch a series of scans.
>
>
>
> Anyone with the answer?
>
>
>
> Thank you in advance.

Yes, OpenVAS-Client can do both GUI and command line scans. I'm going to sit down with the guys where I work and brain storm what features the CLI needs to improve it (a general comment is that people don't want to have to preconfigure the config in a file but would rather pass more flags to OpenVAS-Client).

Cheers,
Tim
--
Tim Brown

From jan-oliver.wagner at intevation.de Thu Nov 6 14:06:42 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Thu, 6 Nov 2008 14:06:42 +0100
Subject: [Openvas-discuss] OpenVAS latest 1.x packages - Problems and solutions to them
In-Reply-To: <40AB5A80E5E562409254E65CBACFE2BD02D28A6C@BBMAIL.corp.bbi.com>
References: <40AB5A80E5E562409254E65CBACFE2BD02D28A6C@BBMAIL.corp.bbi.com>
Message-ID: <200811061406.43633.jan-oliver.wagner@intevation.de>

On Wednesday, 5 November 2008, Toan Nguyen wrote:
> This software is a great alternative to Nessus. Thank you very much for
> making OpenVAS free and easy to use.

you are welcome :-)

> There are a couple things that
> weren't so smooth for me during installation that I would like to point
> out:
>
> 1. The INSTALL_README file in openvas-libraries-1.0.2 doesn't
> indicate which version of gnutls it needs. I had 1.0.20 installed along
> with the development files and I still couldn't compile the libraries.
> It was gnutls 2.x that solved the issue. Pointing this out would have
> been a great help.

Michael, can you add this hint to INSTALL_README for both, trunk and 1.0 branch?

> 2. If you compiled all the openvas components to the non default
> path (ie. ./configure -prefix=/whatever/path) there is no flag to
> specify where you install the dependences for the other subsequent
> components. Example, if I installed libnasl in /opt/openvas-libnasl,
> there is no flag in the configure script of the openvas-libraries to
> point where I installed libnasl. You would have to hack the configure
> script and change the hard-coded paths. Modifying the configure script
> to look for non-default installation paths of its dependences would be a
> great addition.

Not sure I understand the problem: openvas-libraries should not need to know anything about openvas-libnasl. It's only vice versa.

> 3. The 'openvas-nvt-sync' is broken out of the box, at least it was
> for me. Apparently, it seems that the FEED variable was declared
> incorrectly.
>
> UNSUCCESSFUL:
>
> FEED=rsync://rsync.openvas.org:/nvt-feed
>
> SUCCESSFUL:
>
> FEED=rsync at rsync.openvas.org::nvt-feed

Can you let us know the results of this:
$ rsync --version

(I suspect it is your client that has problems with the URLs).

I tested successfully with:
rsync version 2.6.9 protocol version 29

> I have installed OpenVAS on a RHEL4 Dell 1950 server. If any of you have
> questions/comments about my installation or need help installing it,
> feel free to email me. I would have posted this on a forum but the
> OpenVAS team hasn't implemented one yet. I hope my comments/suggestions
> were helpful in some way. Thank you.

This mailing list is a nice forum, btw :-)

Thanks for your input!

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From michael.wiegand at intevation.de Thu Nov 6 15:03:06 2008
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Thu, 6 Nov 2008 15:03:06 +0100
Subject: [Openvas-discuss] OpenVAS latest 1.x packages - Problems and solutions to them
In-Reply-To: <200811061406.43633.jan-oliver.wagner@intevation.de>
References: <40AB5A80E5E562409254E65CBACFE2BD02D28A6C@BBMAIL.corp.bbi.com> <200811061406.43633.jan-oliver.wagner@intevation.de>
Message-ID: <200811061503.06383.michael.wiegand@intevation.de>

[Thursday 06 November 2008 - 14:06:42] "Jan-Oliver Wagner" :
> > 1. The INSTALL_README file in openvas-libraries-1.0.2 doesn't
> > indicate which version of gnutls it needs. I had 1.0.20 installed along
> > with the development files and I still couldn't compile the libraries.
> > It was gnutls 2.x that solved the issue. Pointing this out would have
> > been a great help.
>
> Michael, can you add this hint to INSTALL_README for both, trunk and 1.0
> branch?

Done and done. Toan, thanks for spotting this.

> > 2. If you compiled all the openvas components to the non default
> > path (ie. ./configure -prefix=/whatever/path) there is no flag to
> > specify where you install the dependences for the other subsequent
> > components. Example, if I installed libnasl in /opt/openvas-libnasl,
> > there is no flag in the configure script of the openvas-libraries to
> > point where I installed libnasl. You would have to hack the configure
> > script and change the hard-coded paths. Modifying the configure script
> > to look for non-default installation paths of its dependences would be a
> > great addition.
>
> Not sure I understand the problem: openvas-libraries should not need to
> know anything about openvas-libnasl. It's only vice versa.
I think Toan's point is that you could theoretically configure the components with different prefixes, say -libraries with /opt/openvas-libraries and -libnasl with /opt/openvas-libnasl. I am not quite sure as to why one would want this, but I can imagine this might cause issues, especially if the necessary environment variables are not set.

Is it that what you mean, Toan?

Regards,

Michael

--
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From tnguyen at slacker.com Thu Nov 6 22:51:31 2008
From: tnguyen at slacker.com (Toan Nguyen)
Date: Thu, 6 Nov 2008 13:51:31 -0800
Subject: [Openvas-discuss] OpenVAS latest 1.x packages - Problems and solutions to them
In-Reply-To: <200811061406.43633.jan-oliver.wagner@intevation.de>
Message-ID: <40AB5A80E5E562409254E65CBACFE2BD02D29127@BBMAIL.corp.bbi.com>

> 2. If you compiled all the openvas components to the non default
> path (ie. ./configure -prefix=/whatever/path) there is no flag to
> specify where you install the dependences for the other subsequent
> components. Example, if I installed libnasl in /opt/openvas-libnasl,
> there is no flag in the configure script of the openvas-libraries to
> point where I installed libnasl. You would have to hack the configure
> script and change the hard-coded paths. Modifying the configure script
> to look for non-default installation paths of its dependences would be a
> great addition.

Not sure I understand the problem: openvas-libraries should not need to know anything about openvas-libnasl. It's only vice versa.

My mistake. I should've proofread it first. Yes, I meant the other way. Below is an example of what I mean. I'm compiling libnasl right now on another machine and it's complaining about gpgme not being installed:

configure: error: ""
""
"*** gpgme is not installed ! You need to install it before you"
"compile openvas-libnasl."

Let's see if there is a flag to specify where I installed gpgme.

./configure --help | grep -i gpg

And no results are returned. Apparently, libnasl can only detect gpgme in its default installation path. It's not really a big problem for me but it's just convenient if the configure script allows you to input paths of where you installed the dependencies.

> 3. The 'openvas-nvt-sync' is broken out of the box, at least it was
> for me. Apparently, it seems that the FEED variable was declared
> incorrectly.
>
> UNSUCCESSFUL:
>
> FEED=rsync://rsync.openvas.org:/nvt-feed
>
> SUCCESSFUL:
>
> FEED=rsync at rsync.openvas.org::nvt-feed

Can you let us know the results of this:
$ rsync --version

(I suspect it is your client that has problems with the URLs).

I tested successfully with:
rsync version 2.6.9 protocol version 29

My rsync version is:
rsync version 2.6.3 protocol version 28

> I have installed OpenVAS on a RHEL4 Dell 1950 server. If any of you have
> questions/comments about my installation or need help installing it,
> feel free to email me. I would have posted this on a forum but the
> OpenVAS team hasn't implemented one yet. I hope my comments/suggestions
> were helpful in some way. Thank you.

This mailing list is a nice forum, btw :-)

Oh it is! And, I'm glad you guys addressed my questions in a very timely manner. I guess I'm just spoiled by web forums (ie. phpBB, vbulletin, etc..).

Thanks for your input!

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From tnguyen at slacker.com Thu Nov 6 23:00:17 2008
From: tnguyen at slacker.com (Toan Nguyen)
Date: Thu, 6 Nov 2008 14:00:17 -0800
Subject: [Openvas-discuss] OpenVAS latest 1.x packages - Problems and solutions to them
In-Reply-To: <200811061503.06383.michael.wiegand@intevation.de>
Message-ID: <40AB5A80E5E562409254E65CBACFE2BD02D2912B@BBMAIL.corp.bbi.com>

[Thursday 06 November 2008 - 14:06:42] "Jan-Oliver Wagner" :
> > 1. The INSTALL_README file in openvas-libraries-1.0.2 doesn't
> > indicate which version of gnutls it needs. I had 1.0.20 installed along
> > with the development files and I still couldn't compile the libraries.
> > It was gnutls 2.x that solved the issue. Pointing this out would have
> > been a great help.
>
> Michael, can you add this hint to INSTALL_README for both, trunk and 1.0
> branch?

Done and done. Toan, thanks for spotting this.

> > 2. If you compiled all the openvas components to the non default
> > path (ie. ./configure -prefix=/whatever/path) there is no flag to
> > specify where you install the dependences for the other subsequent
> > components. Example, if I installed libnasl in /opt/openvas-libnasl,
> > there is no flag in the configure script of the openvas-libraries to
> > point where I installed libnasl. You would have to hack the configure
> > script and change the hard-coded paths. Modifying the configure script
> > to look for non-default installation paths of its dependences would be a
> > great addition.
>
> Not sure I understand the problem: openvas-libraries should not need to
> know anything about openvas-libnasl. It's only vice versa.

I think Toan's point is that you could theoretically configure the components with different prefixes, say -libraries with /opt/openvas-libraries and -libnasl with /opt/openvas-libnasl.
I am not quite sure as to why one would want this, but I can imagine this might cause issues, especially if the necessary environment variables are not set.

Is it that what you mean, Toan?

That is correct Michael. My previous email shows an example of libnasl not being able to detect a non default path install of a dependency, gpgme.

The reason why I'm bringing this up is because I like to install all my apps and their dependencies in a specific location (say /opt/openvas/apps/*). I believe it makes it more organized and it looks cleaner. Also, if I ever needed to set up another instance of that app, I could easily just do a 'rsync' of the tree to another machine and my app would be up and running (only change necessary would be config files). Doing that, I wouldn't need to recompile all the components again.

-Toan

From jan-oliver.wagner at intevation.de Fri Nov 7 13:57:37 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 7 Nov 2008 13:57:37 +0100
Subject: [Openvas-discuss] OpenVAS latest 1.x packages - Problems and solutions to them
In-Reply-To: <40AB5A80E5E562409254E65CBACFE2BD02D29127@BBMAIL.corp.bbi.com>
References: <40AB5A80E5E562409254E65CBACFE2BD02D29127@BBMAIL.corp.bbi.com>
Message-ID: <200811071357.40768.jan-oliver.wagner@intevation.de>

On Thursday, 6 November 2008, Toan Nguyen wrote:
> My mistake. I should've proofread it first. Yes, I meant the other way. Below is an example of what I mean. I'm compiling libnasl right now on another machine and it's complaining about gpgme not being installed:
> configure: error: ""
> ""
> "*** gpgme is not installed ! You need to install it before you"
> "compile openvas-libnasl."
>
> Let's see if there is a flag to specify where I installed gpgme.
> ./configure --help | grep -i gpg
>
> And no results are returned. Apparently, libnasl can only detect gpgme in its default installation path. It's not really a big problem for me but it's just convenient if the configure script allows you to input paths of where you installed the dependencies.

the "usual" way is that "gpgme-config" should be in the path.

> UNSUCCESSFUL:
>
> FEED=rsync://rsync.openvas.org:/nvt-feed
>
> SUCCESSFUL:
>
> FEED=rsync at rsync.openvas.org::nvt-feed

I've now added a note to the sync script about this. Thanks.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From tnguyen at slacker.com Fri Nov 7 20:41:20 2008
From: tnguyen at slacker.com (Toan Nguyen)
Date: Fri, 7 Nov 2008 11:41:20 -0800
Subject: [Openvas-discuss] OpenVAS latest 1.x packages - Problems and solutions to them
In-Reply-To: <200811071357.40768.jan-oliver.wagner@intevation.de>
Message-ID: <40AB5A80E5E562409254E65CBACFE2BD02D293C0@BBMAIL.corp.bbi.com>

On Thursday, 6 November 2008, Toan Nguyen wrote:
> My mistake. I should've proofread it first. Yes, I meant the other way. Below is an example of what I mean. I'm compiling libnasl right now on another machine and it's complaining about gpgme not being installed:
> configure: error: ""
> ""
> "*** gpgme is not installed ! You need to install it before you"
> "compile openvas-libnasl."
>
> Let's see if there is a flag to specify where I installed gpgme.
> ./configure --help | grep -i gpg
>
> And no results are returned. Apparently, libnasl can only detect gpgme in its default installation path. It's not really a big problem for me but it's just convenient if the configure script allows you to input paths of where you installed the dependencies.

the "usual" way is that "gpgme-config" should be in the path.

Sure, that's easy enough. After manually putting in gpgme-config in the path, now I can't declare where openvas-libraries are.
I even tried using --libdir and exporting LD_LIBRARY_PATH to point to where openvas-libraries are:

./configure --prefix=/opt/openvas/apps/libnasl --libdir=/opt/openvas/apps/libraries

And, libnasl still doesn't see it:

configure: error: ""
""
"*** openvas-libraries is not installed ! You need to install it before you"
"compile openvas-libnasl."

-Toan

> UNSUCCESSFUL:
>
> FEED=rsync://rsync.openvas.org:/nvt-feed
>
> SUCCESSFUL:
>
> FEED=rsync at rsync.openvas.org::nvt-feed

I've now added a note to the sync script about this. Thanks.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Sat Nov 8 21:28:56 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Sat, 8 Nov 2008 21:28:56 +0100
Subject: [Openvas-discuss] Support scripts for local security checks?
Message-ID: <200811082129.00183.jan-oliver.wagner@intevation.de>

Hello,

I wonder whether it might make sense for users to have shell scripts like "openvas-lsc-prepare-target" and "openvas-lsc-remove-on-target" that make the necessary changes on the target system to have it available for local security checks (and undo the changes if needed).

Basically it would be about creating a user with low rights and a ssh_authorization on the target system. Basically what is described on http://www.openvas.org/performing_lsc.html

Let me know your opinion or alternative ideas to make the LSC management easier.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From ron at skullsecurity.net Mon Nov 10 05:10:34 2008
From: ron at skullsecurity.net (Ron)
Date: Sun, 09 Nov 2008 22:10:34 -0600
Subject: [Openvas-discuss] Packet logs and licensing
Message-ID: <4917B43A.2060009@skullsecurity.net>

Hi everybody,

Just subscribed to this list because I have a question that I figure you guys have come across before. Hopefully you can save me some time (and a lawsuit or two :) ).

I'm currently adding vulnerability checks to Nmap using the scripting engine. So far, I've been basing them on scripts that people put online without licensing (I don't base them on the code, just on the network traffic).

I'd like to add support for other Windows vulnerabilities, though. For example, having a check for ms06-040 would be really nice. However, I can't find any free checkers (and even GPL, without special accommodations, is incompatible with Nmap's license). Even with ms08-067, I'm using a check that's used by Metasploit, but it crashes over 50% of systems, which is definitely not good. Foundstone and Nessus have better ones, but their licensing makes it prohibitive.

Which leads me to my question -- I have no interest in looking at the source for checks done by, say, Foundstone or Nessus. However, looking at their network traffic and reproducing their checks can be extremely helpful. But I don't know how licensing works, in this case -- does the licensing on their code apply to network traffic with Windows, or does the licensing end at the sourcecode level?

I'd like to add the same checks as them at the traffic level, but I don't want to violate licenses.

Can somebody here tell me where the line between violations/fair use is drawn in this case? With the nature of OpenVAS, you must have run across this before.

Thank you kindly!
Ron -- Ron Bowes http://www.skullsecurity.org/ From timb at nth-dimension.org.uk Mon Nov 10 09:16:10 2008 From: timb at nth-dimension.org.uk (Tim Brown) Date: Mon, 10 Nov 2008 08:16:10 +0000 Subject: [Openvas-discuss] Packet logs and licensing In-Reply-To: <4917B43A.2060009@skullsecurity.net> References: <4917B43A.2060009@skullsecurity.net> Message-ID: <200811100816.10412.timb@nth-dimension.org.uk> On Monday 10 November 2008 04:10:34 Ron wrote: > Hi everybody, > > Just subscribed to this list because I have a question that I figure you > guys have come across before. Hopefully you can save me some time (and a > lawsuit or two :) ). > > I'm currently adding vulnerability checks to Nmap using the scripting > engine. So far, I've been basing them on scripts that people put online > without licensing (I don't base them on the code, just on the network > traffic). > > I'd like to add support for other Windows vulnerabilities, though. For > example, having a check for ms06-040 would be really nice. However, I > can't find any free checkers (and even GPL, without special > accommodations, is incompatible with Nmap's license). Even with > ms08-067, I'm using a check that's used by Metasploit, but it crashes > over 50% of systems, which is definitely not good. Foundstone and Nessus > have better ones, but their licensing makes it prohibitive. > > Which leads me to my question -- I have no interest in looking at the > source for checks done by, say, Foundstone or Nessus. However, looking > at their network traffic and reproducing their checks can be extremely > helpful. But I don't know how licensing works, in this case -- does the > licensing on their code apply to network traffic with Windows, or does > the licensing end at the sourcecode level? > > I'd like to add the same checks as them at the traffic level, but I > don't want to violate licenses. > > Can somebody here tell me where the line between violations/fair use is > drawn in this case? 
With the nature of OpenVAS, you must have run across > this before. The licensing will be in relation to the source code, OTOH you need to be in a position where you have a license on the source code that allows you to execute it for the purposes you have outlined. That means for example that if you're working on nmap scripts for $corp based on Nessus, that $corp has an appropriate license to allow generation of packets from Nessus. Note also that depending on your locality, various EULA could have further impact on how you are allowed to use the results (such as packet captures) from commercial tools. Just for kicks, my colleague is the one who wrote the original code (http://labs.portcullis.co.uk/application/ms08-067-check/) on which Metasploits check for MS08-067 is based so I could probably get it ported relatively easily. OTOH, the check we (OpenVAS) use is based on earlier packet analysis by one of the guys in India of traffic captured by myself using a port of the original POC to Samba's RPC client (http://www.nth-dimension.org.uk/blog.php?id=72). Traditional reverse engineering style really, one person examines the code, documents (in this case as .pcap's) what happens and then someone else goes off and writes the check. Essentially, the checks *I* write are either for things I have discovered, things where I can write a check based on an advisory, or things where I can reverse engineer what is going on from packet level dumps. For obvious reasons, I stay clear of looking at how Nessus 3.x does things. Cheers, Tim -- Tim Brown From jan-oliver.wagner at intevation.de Mon Nov 10 09:32:43 2008 From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Mon, 10 Nov 2008 09:32:43 +0100 Subject: [Openvas-discuss] Packet logs and licensing In-Reply-To: <4917B43A.2060009@skullsecurity.net> References: <4917B43A.2060009@skullsecurity.net> Message-ID: <200811100932.45889.jan-oliver.wagner@intevation.de> Hello Ron, On Montag, 10. 
November 2008, Ron wrote: > Just subscribed to this list because I have a question that I figure you > guys have come across before. Hopefully you can save me some time (and a > lawsuit or two :) ). well, we can't obviously give legal advice. Share some thoughts and experiences at maximum. > I'm currently adding vulnerability checks to Nmap using the scripting > engine. So far, I've been basing them on scripts that people put online > without licensing (I don't base them on the code, just on the network > traffic). > > I'd like to add support for other Windows vulnerabilities, though. For > example, having a check for ms06-040 would be really nice. However, I > can't find any free checkers (and even GPL, without special > accommodations, is incompatible with Nmap's license). Even with > ms08-067, I'm using a check that's used by Metasploit, but it crashes > over 50% of systems, which is definitely not good. Foundstone and Nessus > have better ones, but their licensing makes it prohibitive. > > Which leads me to my question -- I have no interest in looking at the > source for checks done by, say, Foundstone or Nessus. However, looking > at their network traffic and reproducing their checks can be extremely > helpful. But I don't know how licensing works, in this case -- does the > licensing on their code apply to network traffic with Windows, or does > the licensing end at the sourcecode level? > > I'd like to add the same checks as them at the traffic level, but I > don't want to violate licenses. > > Can somebody here tell me where the line between violations/fair use is > drawn in this case? With the nature of OpenVAS, you must have run across > this before. you definitely can forget about Tenable (Nessus). They are developing non-free NASL code which you are not allowed to modify and publish as Free Software. They likely will approach you even if you take just a couple of lines. Best Jan -- Dr. 
Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From ron at skullsecurity.net Mon Nov 10 20:49:55 2008 From: ron at skullsecurity.net (Ron) Date: Mon, 10 Nov 2008 13:49:55 -0600 Subject: [Openvas-discuss] Packet logs and licensing In-Reply-To: <200811100816.10412.timb@nth-dimension.org.uk> References: <4917B43A.2060009@skullsecurity.net> <200811100816.10412.timb@nth-dimension.org.uk> Message-ID: <49189063.9020506@skullsecurity.net> Tim Brown wrote: > On Monday 10 November 2008 04:10:34 Ron wrote: > > The licensing will be in relation to the source code, OTOH you need to be in a > position where you have a license on the source code that allows you to > execute it for the purposes you have outlined. That means for example that > if you're working on nmap scripts for $corp based on Nessus, that $corp has > an appropriate license to allow generation of packets from Nessus. Note also > that depending on your locality, various EULA could have further impact on > how you are allowed to use the results (such as packet captures) from > commercial tools. I don't have a whole lot of interest in writing scripts specifically for $corp, I'm writing them for Nmap and releasing them under Nmap's modified GPL license. That makes it incompatible with most other licenses, which is why I ask. I do have licenses for running Nessus and Foundstone, but obviously not the sourcecode. I don't know, however, how I'd be allowed to use results (like packet caps) -- maybe I'll take a look at their licenses. > Just for kicks, my colleague is the one who wrote the original code > (http://labs.portcullis.co.uk/application/ms08-067-check/) on which > Metasploit's check for MS08-067 is based so I could probably get it ported > relatively easily. 
OTOH, the check we (OpenVAS) use is based on earlier > packet analysis by one of the guys in India of traffic captured by myself > using a port of the original POC to Samba's RPC client > (http://www.nth-dimension.org.uk/blog.php?id=72). Traditional reverse > engineering style really, one person examines the code, documents (in this > case as .pcap's) what happens and then someone else goes off and writes the > check. I think that's more what I was getting at. When you say "examines the code", do you mean the code for the exploit or for the vulnerability? Like, if I log metasploit's exploit attempt, and base something on that, am I then bound to metasploit's license? (I'm aware that Metasploit's new license should make that moot, but I was using it as an example). My current check for ms08-067 is based on one that I found in a .py script floating around, and it's the same one that was incorporated into Metasploit. Basically, "\AAA...A\..\n", iirc. I don't *think* I violated any licenses using that, but licensing is hairy business, and vuln checking seems pretty competitive. > > Essentially, the checks *I* write are either for things I have discovered, > things where I can write a check based on an advisory, or things where I can > reverse engineer what is going on from packet level dumps. For obvious > reasons, I stay clear of looking at how Nessus 3.x does things. So do you figure that packet-level dumps are generally ok to use? Generally, if I can't do it from a packet-level dump, then I probably won't be able to do it from sourcecode. On that topic, I don't know what your MS RPC checks are like right now (that's what I'm working on), but what are your thoughts on basing Nmap checks on OpenVAS scripts? Because Nmap uses a non-standard license based on (but technically incompatible with) GPL, whoever owns the copyright on the OpenVAS scripts would have to grant permission (at least, that's how I understand it) before they can be included with Nmap. 
Who could I talk to about that one? I'd definitely give credit and all that. The other option is that I could release the scripts separately from Nmap with a proper GPL, but there's no clean way of doing that, right now, so I want to avoid it. > > Cheers, > Tim Thanks for your time! Ron -- Ron Bowes http://www.skullsecurity.org/ From robertrose.org at gmail.com Fri Nov 14 06:42:22 2008 From: robertrose.org at gmail.com (Robert Rose) Date: Fri, 14 Nov 2008 16:42:22 +1100 Subject: [Openvas-discuss] Web client Message-ID: <8cb8f6780811132142t24a4a42o2cb36fc22978f295@mail.gmail.com> Hi all, I've just got OpenVAS version 2 beta installed & running on CentOS, I'm most impressed! I'm wondering if there is a web client planned, similar to NessusWC ? Rob. From jan-oliver.wagner at intevation.de Fri Nov 14 11:34:16 2008 From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Fri, 14 Nov 2008 11:34:16 +0100 Subject: [Openvas-discuss] Web client In-Reply-To: <8cb8f6780811132142t24a4a42o2cb36fc22978f295@mail.gmail.com> References: <8cb8f6780811132142t24a4a42o2cb36fc22978f295@mail.gmail.com> Message-ID: <200811141134.18679.jan-oliver.wagner@intevation.de> On Freitag, 14. November 2008, Robert Rose wrote: > I've just got OpenVAS version 2 beta installed & running on CentOS, > I'm most impressed! thanks :-) > I'm wondering if there is a web client planned, yes. My personal idea is to have one based on OpenVAS 3.0. And I'd like to start the 3.0-beta cycle in spring 2009. We have no resources for a web client development yet (neither financially nor (wo)man-power), but Intevation will prepare ground to allow for writing a web client. > similar to NessusWC ? don't know. I am not looking at the Nessus stuff at all. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. 
Jan-Oliver Wagner From kost at linux.hr Fri Nov 14 13:47:45 2008 From: kost at linux.hr (Vlatko Kosturjak) Date: Fri, 14 Nov 2008 13:47:45 +0100 Subject: [Openvas-discuss] OpenVAS and backtrack Message-ID: <491D7371.1030400@linux.hr> As OpenVAS is not in Backtrack 3 by default (yet!), you can download the lzm module or download a remastered backtrack3 which includes the OpenVAS lzm (it still fits on a 700 Mb CD). It's a good way of testing OpenVAS in case you want to try it out. And also if you want to write (and test) NASL checks, but you don't have a development environment ready. Read more and download here: http://www.openvas.org/openvas-bt.html Hope it helps! Kost PS Christian Eric - this is for you ;) From nisudoj at yahoo.com Fri Nov 14 19:21:16 2008 From: nisudoj at yahoo.com (NISU DOJ) Date: Fri, 14 Nov 2008 10:21:16 -0800 (PST) Subject: [Openvas-discuss] openvas plugins and NVT Message-ID: <249079.90618.qm@web53609.mail.re2.yahoo.com> I have installed openvas plugins 1.0.3 and ran the nvt rsync command to see if I get any new plugins. So far it shows around 12502. When I installed plugins 1.0.4, it still shows 12502. Are the plugins not installing correctly? I restart the openvasd and still shows same number. Any ideas? Thank you From tnguyen at slacker.com Fri Nov 14 20:05:26 2008 From: tnguyen at slacker.com (Toan Nguyen) Date: Fri, 14 Nov 2008 11:05:26 -0800 Subject: [Openvas-discuss] openvas plugins and NVT In-Reply-To: <249079.90618.qm@web53609.mail.re2.yahoo.com> Message-ID: <40AB5A80E5E562409254E65CBACFE2BD02DE0CAD@BBMAIL.corp.bbi.com> When you ran the openvas-nvt-sync script, did you see the list of files it was downloading? Did the username that ran rsync have proper permissions to write to the plugins dir? 
________________________________ From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of NISU DOJ Sent: Friday, November 14, 2008 10:21 AM To: openvas-discuss at wald.intevation.org Subject: [Openvas-discuss] openvas plugins and NVT I have installed openvas plugins 1.0.3 and ran the nvt rsync command to see if I get any new plugins. So far it shows around 12502. When I installed plugins 1.0.4, it still shows 12502. Are the plugins not installing correctly? I restart the openvasd and still shows same number. Any ideas? Thank you From michael.wiegand at intevation.de Mon Nov 17 10:29:57 2008 From: michael.wiegand at intevation.de (Michael Wiegand) Date: Mon, 17 Nov 2008 10:29:57 +0100 Subject: [Openvas-discuss] openvas plugins and NVT In-Reply-To: <249079.90618.qm@web53609.mail.re2.yahoo.com> References: <249079.90618.qm@web53609.mail.re2.yahoo.com> Message-ID: <20081117092956.GC21680@intevation.de> * NISU DOJ [14. Nov 2008]: > I have installed openvas plugins 1.0.3 and ran the nvt rsync command to see if I get any new plugins. So far it shows around 12502. > When I installed plugins 1.0.4, it still shows 12502. > Are the plugins not installing correctly? > I restart the openvasd and still shows same number. Hello, I'm not quite sure if I understand your problem correctly, but the openvas-nvt-sync command will always fetch the latest collection of NVTs from the OpenVAS Feed Services. Right now, the plugin releases are only snapshots of the OpenVAS Feed with a few additional scripts. So independent of the release of openvas-plugins you are using, a call to openvas-nvt-sync should always result in the same number of NVTs in your plugins directory since the Feed is the same for all versions. 
If I understand you correctly, you did two synchronizations with the same feed, which should indeed result in the same number of available NVTs/plugins. Regards, Michael -- Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From timb at nth-dimension.org.uk Mon Nov 17 23:57:22 2008 From: timb at nth-dimension.org.uk (Tim Brown) Date: Mon, 17 Nov 2008 22:57:22 +0000 Subject: [Openvas-discuss] Web client In-Reply-To: <200811141134.18679.jan-oliver.wagner@intevation.de> References: <8cb8f6780811132142t24a4a42o2cb36fc22978f295@mail.gmail.com> <200811141134.18679.jan-oliver.wagner@intevation.de> Message-ID: <200811172257.22667.timb@nth-dimension.org.uk> On Friday 14 November 2008 10:34:16 Jan-Oliver Wagner wrote: > On Freitag, 14. November 2008, Robert Rose wrote: > > I've just got OpenVAS version 2 beta installed & running on CentOS, > > I'm most impressed! > > thanks :-) > > > I'm wondering if there is a web client planned, > > yes. My personal idea is to have one based on OpenVAS 3.0. > And I'd like to start the 3.0-beta cycle in spring 2009. > We have no resources for a web client development yet (neither > financially nor (wo)man-power), but Intevation will prepare ground > to allow for writing a web client. > > > similar to NessusWC ? Has anyone looked at Auto Nessus - http://www.autonessus.com/ - Seems like an interesting project in this sphere and FOSS (GPLv3) too. Maybe someone would like to contact them? 
Cheers, Tim -- Tim Brown From kost at linux.hr Tue Nov 18 09:22:10 2008 From: kost at linux.hr (Vlatko Kosturjak) Date: Tue, 18 Nov 2008 09:22:10 +0100 Subject: [Openvas-discuss] Web client In-Reply-To: <200811172257.22667.timb@nth-dimension.org.uk> References: <8cb8f6780811132142t24a4a42o2cb36fc22978f295@mail.gmail.com> <200811141134.18679.jan-oliver.wagner@intevation.de> <200811172257.22667.timb@nth-dimension.org.uk> Message-ID: <49227B32.4060602@linux.hr> Tim Brown wrote: >>> similar to NessusWC ? > Has anyone looked at Auto Nessus - http://www.autonessus.com/ - Seems like an > interesting project in this sphere and FOSS (GPLv3) too. Maybe someone would > like to contact them? I've already contacted him. Autonessus is giving delta of scans. I think it is not a real client. But, there are three clients available: Already mentioned NessusWC: http://www.frank4dd.com/sw.htm Inprotect: http://inprotect.sourceforge.net/ Bilbo: http://www.crossley-nilsen.com/Linux/Bilbo_-_Nessus_WEB/bilbo_-_nessus_web.html Maybe it's worth contacting them also. Kost From eric at nixwizard.net Thu Nov 20 04:48:18 2008 From: eric at nixwizard.net (Eric Gearhart) Date: Wed, 19 Nov 2008 20:48:18 -0700 Subject: [Openvas-discuss] Would the project be interested in a Debian Etch OpenVZ template? Message-ID: <5792267e0811191948y3454d6c5oc6548f1b816de3a9@mail.gmail.com> I've built an OpenVZ template that contains an install of OpenVAS (the packages openvas-libnasl, openvas-libraries, openvas-plugins & openvas-server are installed). I can provide the template if the project would like to include it as a download. 
More info on OpenVZ is available here: http://wiki.openvz.org/Main_Page In a nutshell, OpenVZ provides OS-level virtualization (grown-up versions of chroot jails) and lets you run multiple instances of Linux on the same box, partitioned from each other (they can even be different distributions of Linux - but the kernel remains the same across all "virtual environments" or VEs) Example templates can be found here: http://wiki.openvz.org/Download/template/precreated Basically what I've done is taken the Debian Etch template, installed build-essentials (for gcc, make, etc) and other needed packages (gpgme, bison, etc) and taken a snapshot of the container. Either way, thanks for the project! GPL'd, open vulnerability assessment is definitely needed. -- Eric http://nixwizard.net From eric at nixwizard.net Thu Nov 20 16:26:34 2008 From: eric at nixwizard.net (Eric Gearhart) Date: Thu, 20 Nov 2008 08:26:34 -0700 Subject: [Openvas-discuss] OpenVZ template for Debian Etch Message-ID: <5792267e0811200726m293ed1f6m4affdfd1afd7d243@mail.gmail.com> I've built an OpenVZ template that contains an install of OpenVAS (the packages openvas-libnasl, openvas-libraries, openvas-plugins & openvas-server are installed). I can provide the template if the project would like to include it as a download. 
More info on OpenVZ is available here: http://wiki.openvz.org/Main_Page In a nutshell, OpenVZ provides OS-level virtualization (grown-up versions of chroot jails) and lets you run multiple instances of Linux on the same box, partitioned from each other (they can even be different distributions of Linux - but the kernel remains the same across all "virtual environments" or VEs) Other example templates can be found here: http://wiki.openvz.org/Download/template/precreated Basically what I've done is taken the Debian Etch template, installed build-essentials (for gcc, make, etc) and other needed packages (gpgme, bison, etc) and taken a snapshot of the container. Either way, thanks for the project! GPL'd, open vulnerability assessment is definitely needed. -- Eric http://nixwizard.net From michael.wiegand at intevation.de Fri Nov 21 09:52:24 2008 From: michael.wiegand at intevation.de (Michael Wiegand) Date: Fri, 21 Nov 2008 09:52:24 +0100 Subject: [Openvas-discuss] OpenVZ template for Debian Etch In-Reply-To: <5792267e0811200726m293ed1f6m4affdfd1afd7d243@mail.gmail.com> References: <5792267e0811200726m293ed1f6m4affdfd1afd7d243@mail.gmail.com> Message-ID: <20081121085224.GB24413@intevation.de> * Eric Gearhart [20. Nov 2008]: > I've built an OpenVZ template that contains an install of OpenVAS (the > packages openvas-libnasl, openvas-libraries, openvas-plugins & > openvas-server are installed). I can provide the template if the project > would like to include it as a download. Sounds exciting, packages like this are definitely useful for people who want to "test-drive" OpenVAS, but don't want to build it themselves. There has been some work on a VMware based virtual instance not too long ago, but I don't know if this is still active. 
A slightly different approach is taken by the OpenVAS modules for Backtrack, built by kost a few days ago. > Basically what I've done is taken the Debian Etch template, installed > build-essentials (for gcc, make, etc) and other needed packages (gpgme, > bison, etc) and taken a snapshot of the container Is OpenVAS already installed and configured (-mkcert, -adduser) on the template? > Either way, thanks for the project! GPL'd, open vulnerability assessment is > definitely needed. Thanks for the kind words and thank you for your contribution! Regards, Michael -- Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From jan-oliver.wagner at intevation.de Fri Nov 21 10:23:39 2008 From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Fri, 21 Nov 2008 10:23:39 +0100 Subject: [Openvas-discuss] Would the project be interested in a Debian Etch OpenVZ template? In-Reply-To: <5792267e0811191948y3454d6c5oc6548f1b816de3a9@mail.gmail.com> References: <5792267e0811191948y3454d6c5oc6548f1b816de3a9@mail.gmail.com> Message-ID: <200811211023.40078.jan-oliver.wagner@intevation.de> Am Thursday 20 November 2008 04:48:18 schrieb Eric Gearhart: > Either way, thanks for the project! GPL'd, open vulnerability assessment is > definitely needed. thank you! Such feedback motivates the active developers a lot! 
Best Jan From eric at nixwizard.net Sat Nov 22 03:42:08 2008 From: eric at nixwizard.net (Eric Gearhart) Date: Fri, 21 Nov 2008 19:42:08 -0700 Subject: [Openvas-discuss] OpenVZ template for Debian Etch In-Reply-To: <20081121085224.GB24413@intevation.de> References: <5792267e0811200726m293ed1f6m4affdfd1afd7d243@mail.gmail.com> <20081121085224.GB24413@intevation.de> Message-ID: <5792267e0811211842w17fe6baw5fd512c7efdd521@mail.gmail.com> On Fri, Nov 21, 2008 at 1:52 AM, Michael Wiegand < michael.wiegand at intevation.de> wrote: > * Eric Gearhart [20. Nov 2008]: > > I've built an OpenVZ template that contains an install of OpenVAS (the > > packages openvas-libnasl, openvas-libraries, openvas-plugins & > > openvas-server are installed). I can provide the template if the project > > would like to include it as a download. > > Is OpenVAS already installed and configured (-mkcert, -adduser) on the > template? > > Michael, Yes it's already completely configured... I even took it for a test drive on one of our local Linux boxes :) Should I just post a link to the OpenVZ template's tgz? Is there a file repo I should upload it to? (OpenVZ VEs are tarballs) -- Eric http://nixwizard.net From michael.wiegand at intevation.de Mon Nov 24 08:56:20 2008 From: michael.wiegand at intevation.de (Michael Wiegand) Date: Mon, 24 Nov 2008 08:56:20 +0100 Subject: [Openvas-discuss] OpenVZ template for Debian Etch In-Reply-To: <5792267e0811211842w17fe6baw5fd512c7efdd521@mail.gmail.com> References: <5792267e0811200726m293ed1f6m4affdfd1afd7d243@mail.gmail.com> <20081121085224.GB24413@intevation.de> <5792267e0811211842w17fe6baw5fd512c7efdd521@mail.gmail.com> Message-ID: <20081124075620.GA17969@intevation.de> * Eric Gearhart [22. Nov 2008]: > Yes it's already completely configured... 
I even took it for a test drive on > one of our local Linux boxes :) Do you have a pre-defined static user for the template? In this case, you might want to consider letting the user set username and password when the VM starts up for security reasons, as discussed by kost and Patrick in this thread a while ago: http://lists.wald.intevation.org/pipermail/openvas-discuss/2008-September/000760.html > Should I just post a link to the OpenVZ template's tgz? Is there a file repo > I should upload it to? (OpenVZ VEs are tarballs) I think a link would be the easiest option for now, if you don't mind hosting the templates. Regards, Michael -- Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From jan-oliver.wagner at intevation.de Mon Nov 24 09:57:05 2008 From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Mon, 24 Nov 2008 09:57:05 +0100 Subject: [Openvas-discuss] OpenVZ template for Debian Etch In-Reply-To: <5792267e0811211842w17fe6baw5fd512c7efdd521@mail.gmail.com> References: <5792267e0811200726m293ed1f6m4affdfd1afd7d243@mail.gmail.com> <20081121085224.GB24413@intevation.de> <5792267e0811211842w17fe6baw5fd512c7efdd521@mail.gmail.com> Message-ID: <200811240957.08249.jan-oliver.wagner@intevation.de> On Samstag, 22. November 2008, Eric Gearhart wrote: > Should I just post a link to the OpenVZ template's tgz? Is there a file repo > I should upload it to? (OpenVZ VEs are tarballs) we could add it here: http://www.openvas.org/openvas-server.html -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. 
Jan-Oliver Wagner From joey at infodrom.org Tue Nov 25 20:08:55 2008 From: joey at infodrom.org (Joey Schulze) Date: Tue, 25 Nov 2008 20:08:55 +0100 Subject: [Openvas-discuss] Web client In-Reply-To: <200811141134.18679.jan-oliver.wagner@intevation.de> References: <8cb8f6780811132142t24a4a42o2cb36fc22978f295@mail.gmail.com> <200811141134.18679.jan-oliver.wagner@intevation.de> Message-ID: <20081125190855.GK12602@finlandia.home.infodrom.org> Jan-Oliver Wagner wrote: > > I'm wondering if there is a web client planned, > > yes. My personal idea is to have one based on OpenVAS 3.0. > And I'd like to start the 3.0-beta cycle in spring 2009. > We have no resources for a web client development yet (neither > financially nor (wo)man-power), but Intevation will prepare ground > to allow for writing a web client. Maybe one of you is going to Chemnitz next year and wants to propose this: http://lists.debian.org/debian-events-eu/2008/11/msg00010.html Regards, Joey -- If you come from outside of Finland, you live in wrong country. -- motd of irc.funet.fi Please always Cc to me when replying to me on the lists. From michael.wiegand at intevation.de Wed Nov 26 10:03:34 2008 From: michael.wiegand at intevation.de (Michael Wiegand) Date: Wed, 26 Nov 2008 10:03:34 +0100 Subject: [Openvas-discuss] Planning final release for Compendium 1.0 Message-ID: <20081126090334.GC22141@intevation.de> Hello, we had some valuable contributions to both the German and the English edition of the OpenVAS compendium and were able to remove quite a number of inconsistencies, typographic issues and spelling mistakes. I think the compendium is now ready for the "real" 1.0.0 release and I would like to release the final version as early as this week. If you are still in the process of proofreading and would like to submit patches for the compendium, please do contact me as soon as possible. If you haven't yet looked at the compendium, now is a very good time to do so. 
Additional proofreaders are more than welcome. Regards, Michael -- Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From mradams1 at gmail.com Wed Nov 26 15:11:14 2008 From: mradams1 at gmail.com (mradams1@gmail.com) Date: Wed, 26 Nov 2008 14:11:14 +0000 Subject: [Openvas-discuss] Password for ISO Message-ID: <00221532ce0c7544e2045c983362@google.com> Has anyone used the bt3-openvas.iso? The userid /password combo (root / toor) does not seem to work.